CVE-2026-5211

High ⚡ Exploit Available
CWE-119 — Weakness Type
Published: Mar 31, 2026  ·  Modified: Apr 7, 2026  ·  Source: NVD
CVSS v3
8.8
📄 Description (English)

A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This vulnerability affects the function UPnP_AV_Server_Path_Del of the file /cgi-bin/app_mgr.cgi. Executing a manipulation of the argument f_dir can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been published and may be used.

🤖 AI Executive Summary

A critical stack-based buffer overflow vulnerability exists in D-Link NAS devices (DNS and DNR series) affecting the UPnP AV Server functionality through the /cgi-bin/app_mgr.cgi endpoint. The flaw allows remote attackers to execute arbitrary code by manipulating the f_dir parameter, with public exploits already available. This poses an immediate threat to organizations using these devices for network storage and backup operations.

🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 16:02
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations in banking, government, healthcare, and energy sectors utilizing D-Link NAS devices for centralized data storage and backup are at significant risk. ARAMCO facilities, SAMA-regulated financial institutions, and government agencies (NCA, MOI) relying on these devices for critical data management face potential data breach, system compromise, and operational disruption. Telecom operators (STC, Mobily) using these devices for network infrastructure storage are also vulnerable. The lack of available patches creates an extended exposure window.
🏢 Affected Saudi Sectors
- Banking and Financial Services
- Government and Public Administration
- Healthcare and Medical Institutions
- Energy and Utilities (ARAMCO)
- Telecommunications (STC, Mobily)
- Education and Research
- Enterprise IT Infrastructure
⚖️ Saudi Risk Score (AI)
8.9 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify and inventory all D-Link DNS/DNR series devices in your environment using network scanning tools
2. Isolate affected devices from internet-facing networks immediately; restrict access to trusted internal networks only
3. Disable UPnP functionality if not operationally required via device web interface
4. Implement network segmentation to limit lateral movement from compromised devices

COMPENSATING CONTROLS (until patch available):
5. Deploy Web Application Firewall (WAF) rules to block requests to /cgi-bin/app_mgr.cgi with suspicious f_dir parameters
6. Implement strict input validation rules: block requests containing path traversal sequences (../, ..\ ) in f_dir parameter
7. Monitor for exploitation attempts using IDS/IPS signatures detecting buffer overflow patterns
8. Enable detailed logging on affected devices and forward logs to SIEM for analysis
9. Restrict administrative access to device management interfaces using IP whitelisting
10. Consider replacing affected devices with patched alternatives from D-Link or alternative vendors

DETECTION RULES:
- Monitor HTTP POST requests to /cgi-bin/app_mgr.cgi with f_dir parameter exceeding 256 bytes
- Alert on UPnP_AV_Server_Path_Del function calls with abnormal parameter lengths
- Track failed authentication attempts and unusual process execution on NAS devices
- Monitor for reverse shell indicators and unexpected outbound connections from NAS devices
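
The first detection rule and compensating control 6, sketched as an added example (not code from D-Link or from this advisory). It assumes a reverse proxy or WAF in front of the NAS records each request's method, URL and form body; the sample records are constructed, and the check covers the query string and any HTTP method, which goes beyond the POST-only rule above.

```python
# Added example: flag requests to /cgi-bin/app_mgr.cgi per the detection rules above.
# Assumption: a proxy in front of the NAS supplies (method, url, form body) records.
import posixpath
from urllib.parse import urlsplit, parse_qsl, unquote

ENDPOINT = "/cgi-bin/app_mgr.cgi"   # from the advisory
PARAM = "f_dir"                     # from the advisory
MAX_BYTES = 256                     # threshold from the detection rule
TRAVERSAL = ("../", "..\\")         # sequences named in compensating control 6


def inspect_request(method, url, body=""):
    """Return a list of findings for one request; an empty list means no match."""
    parts = urlsplit(url)
    # Normalise so /cgi-bin//app_mgr.cgi or %2F-style variants still match.
    if posixpath.normpath(unquote(parts.path)) != ENDPOINT:
        return []
    findings = []
    # f_dir may arrive in the query string or the form body, possibly repeated.
    # latin-1 maps every percent-decoded byte to one character, so len() is bytes.
    pairs = parse_qsl(parts.query, keep_blank_values=True, encoding="latin-1")
    pairs += parse_qsl(body, keep_blank_values=True, encoding="latin-1")
    for name, value in pairs:
        if name != PARAM:
            continue
        if len(value) > MAX_BYTES:
            findings.append(f"{method} {PARAM} length {len(value)} > {MAX_BYTES}")
        if any(seq in value for seq in TRAVERSAL):
            findings.append(f"{method} {PARAM} contains traversal sequence")
    return findings


# Constructed sample records (method, url, body); not real traffic.
SAMPLES = [
    ("POST", "/cgi-bin/app_mgr.cgi", "f_dir=/mnt/share/Media"),
    ("POST", "/cgi-bin/app_mgr.cgi", "f_dir=" + "A" * 300),
    ("POST", "/cgi-bin/app_mgr.cgi", "f_dir=%2E%2E%2Fetc"),
    ("GET", "/cgi-bin/app_mgr.cgi?f_dir=" + "%41" * 257, ""),
    ("POST", "/cgi-bin/login_mgr.cgi", "f_dir=" + "A" * 300),
]


def scan(samples):
    """Return (index, findings) for every sample that produced a finding."""
    return [(i, f) for i, s in enumerate(samples) if (f := inspect_request(*s))]


if __name__ == "__main__":
    for index, findings in scan(SAMPLES):
        print(index, findings)
```

Length is measured after percent-decoding because an encoded value is three times longer on the wire than what the CGI receives, so a raw-length threshold would misfire in both directions.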
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.12.6.1 - Management of technical vulnerabilities
- ECC 2024 A.14.2.1 - Secure development policy
- ECC 2024 A.12.2.1 - Monitoring and logging of access

🔵 SAMA CSF
- ID.RA-1 - Asset management and vulnerability identification
- PR.IP-12 - Security patch management
- DE.CM-1 - Detection and analysis of anomalies

🟡 ISO 27001:2022
- A.12.6.1 - Management of technical vulnerabilities
- A.14.2.1 - Secure development policy and procedures
- A.12.4.1 - Event logging
- A.13.1.1 - Network security perimeter

🟣 PCI DSS v4.0.1
- Requirement 6.2 - Security patches and updates
- Requirement 11.2 - Vulnerability scanning
📦 Affected Products / CPE 20 entries
dlink:dnr-202l_firmware
dlink:dnr-326_firmware
dlink:dns-1100-4_firmware
dlink:dns-120_firmware
dlink:dns-1200-05_firmware
dlink:dns-1550-04_firmware
dlink:dns-315l_firmware
dlink:dns-320_firmware
dlink:dns-320l_firmware
dlink:dns-320lw_firmware
dlink:dns-321_firmware
dlink:dns-322l_firmware
dlink:dns-323_firmware
dlink:dns-325_firmware
dlink:dns-326_firmware
dlink:dns-327l_firmware
dlink:dns-340l_firmware
dlink:dns-343_firmware
dlink:dns-345_firmware
dlink:dns-726-4_firmware
📊 CVSS Score
8.8 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: N (Network)
- Attack Complexity: L (Low)
- Privileges Required: L (Low)
- User Interaction: N (None)
- Scope: U (Unchanged)
- Confidentiality: H (High)
- Integrity: H (High)
- Availability: H (High)
📋 Quick Facts
Severity High
CVSS Score 8.8
CWE CWE-119
EPSS 0.03%
Exploit ✓ Yes
Patch ✗ No
Published 2026-03-31
Source Feed nvd
🇸🇦 Saudi Risk Score
8.9 / 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
exploit-available CWE-119